Groups spanning domains with Microsoft Active Directory
The domain and forest functional levels of Microsoft Active Directory control which configurations are available for use. How you configure Microsoft Active Directory affects how group membership is determined within WebSphere® Application Server. Using groups to configure your Microsoft Active Directory installation with the product allows flexible management.
Domain functional levels
- Windows Server 2008 (Native)
- Supported by Windows Server 2008 and Windows Server 2008 R2
- Default in Windows 2008
Forest functional levels
- Windows Server 2008 or Windows Server 2008 R2
- All domains operate at the Windows Server 2008 domain functional level.
If the forest functional level is set to Windows Server 2008, the domain functional level of every domain in the forest is also Windows Server 2008 (Native), which makes the group nesting and universal group features of Microsoft Active Directory available.
Microsoft Active Directory groups
- Groups are typically a collection of user accounts.
- Members receive permission given to groups.
- Users can be members of multiple groups.
- Groups can be members of other groups, which are nested groups.
- Security groups: Microsoft Active Directory uses security groups for granting permissions to gain access to resources.
- Distribution groups: Distribution groups are used by Windows-based applications as lists for nonsecurity-related functions. Distribution groups are used for sending email messages to groups of users. You cannot grant Windows permissions to distribution groups.
- Domain local group:
- Windows usage: Members of this group can come from any domain, but can access Windows resources only in the local domain. Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native, and interim functional levels of domains and forests.
- Restriction: You cannot define group nesting in a domain local group. A domain local group cannot be a member of another domain local group or any other group in the same domain.
- WebSphere usage: Users are not typically placed in domain local groups because of these restrictions. WebSphere Application Server security roles are not typically bound to domain local groups.
- Global group:
- Windows usage: Members of this group originate from the local domain, but can access Windows resources in any domain. The global group is used to organize users who share similar Windows network access requirements. You can add members only from the domain in which the global group is created. You can use this group to assign permissions to gain access to Windows resources that are located in any domain in the domain tree or forest.
You can group users with a similar function under global scope and grant permission to access a Windows resource, such as a printer or shared folders and files, that is available in the local domain or in another domain in the same forest. Because their memberships are limited to one domain, you can use global groups to grant permission to gain access to Windows resources that are located in any domain in a single forest. You can add user accounts and global groups only from the domain in which the global group is created.
Nesting is possible for global groups within other groups: you can add a global group to another global group from any domain. Members of a global group can be members of a domain local group. Global groups exist in all mixed, native, and interim functional levels of domains and forests.
- WebSphere Application Server usage: Global groups are visible on every domain controller, but memberships are visible only for local users. That is, you can see your group memberships only if you query your home domain controller. A global group should contain groups of users. Global groups are intended to be included in universal groups.
- Universal group:
- Windows usage: Members in this group can come from any domain and access Windows resources in multiple domains. Universal group memberships are not limited like global groups. All domain user accounts and groups can be members of a universal group.
- Restrictions:
- Universal groups are available when the domain is at a Windows mixed functional level.
- It can be expensive to replicate this data across the forest. Group definitions and deletions are relatively rare compared to the equivalent user actions, and nested group membership changes are typically rare compared to changes in the membership of users within groups.
Avoid trouble: Consult the appropriate Microsoft Active Directory information concerning any implications of replicating data across forests.
- WebSphere usage:
- Universal Groups and their memberships are visible on every domain controller in the forest.
- Universal groups are also visible when using the Global Catalog. To be useful, all user objects must be directly in the universal group.
Universal group guidelines
- Assign permissions to universal groups for Windows resources in any domain in the network.
- Use universal groups only when their membership is static. Changes in membership can cause excessive network traffic between domain controllers. Membership of universal groups can be replicated to many domain controllers.
- Add global groups from several domains to a universal group.
- Assign permissions for access to a Windows resource to the universal group and for use by WebSphere Application Server group membership resolution across multiple domains.
- Use a universal group in the same way as a domain local group to assign resource permissions.
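As an added example (not code from the IBM documentation), the following models the visibility rules described above for global and universal groups: global group membership resolves only against the group's home domain controller, universal group membership resolves from any domain controller or the Global Catalog, and distribution groups grant nothing. The two-domain forest, distinguished names and group contents are constructed; the groupType bit values are Active Directory's real flags.

```python
# Added example (not part of the IBM documentation). Constructed directory data;
# the groupType bit values are Active Directory's real flags.
GROUP_GLOBAL, GROUP_DOMAIN_LOCAL, GROUP_UNIVERSAL = 0x2, 0x4, 0x8
SECURITY_ENABLED = 0x80000000  # set on security groups, clear on distribution groups

def scope_of(group_type):
    """Map an Active Directory groupType bitmask to its scope name."""
    for flag, name in ((GROUP_UNIVERSAL, "universal"), (GROUP_GLOBAL, "global"),
                       (GROUP_DOMAIN_LOCAL, "domain local")):
        if group_type & flag:
            return name
    raise ValueError("unrecognised groupType 0x%08x" % group_type)

# Two-domain forest (constructed): each group has a home domain, a groupType and members.
GROUPS = {
    "CN=Ops-NA,DC=na,DC=example": dict(domain="na", type=GROUP_GLOBAL | SECURITY_ENABLED,
                                       members=["CN=alice,DC=na,DC=example"]),
    "CN=Ops-EU,DC=eu,DC=example": dict(domain="eu", type=GROUP_GLOBAL | SECURITY_ENABLED,
                                       members=["CN=bob,DC=eu,DC=example"]),
    "CN=Ops-All,DC=na,DC=example": dict(domain="na", type=GROUP_UNIVERSAL | SECURITY_ENABLED,
                                        members=["CN=Ops-NA,DC=na,DC=example",
                                                 "CN=Ops-EU,DC=eu,DC=example"]),
    "CN=Ops-News,DC=na,DC=example": dict(domain="na", type=GROUP_UNIVERSAL,  # distribution
                                         members=["CN=alice,DC=na,DC=example"]),
}

def visible_members(group_dn, queried_domain):
    """Global membership is visible only on the home DC; universal membership is on every DC/GC."""
    g = GROUPS[group_dn]
    if scope_of(g["type"]) == "global" and g["domain"] != queried_domain:
        return []
    return g["members"]

def transitive_members(group_dn, queried_domain, seen=None):
    """Expand nested groups as seen from a DC in queried_domain; 'seen' breaks cycles."""
    seen = set() if seen is None else seen
    users = set()
    for m in visible_members(group_dn, queried_domain):
        if m not in GROUPS:
            users.add(m)
        elif m not in seen:
            seen.add(m)
            users |= transitive_members(m, queried_domain, seen)
    return users

def effective_groups(user_dn, queried_domain):
    """Security groups granting user_dn a WebSphere role when resolved via a DC in queried_domain."""
    return {dn for dn, g in GROUPS.items() if g["type"] & SECURITY_ENABLED
            and user_dn in transitive_members(dn, queried_domain)}
```

Resolving bob against a domain controller in `na` yields no groups at all, even though he is nested into the universal group Ops-All through Ops-EU; this is the case the guideline about placing user objects directly in the universal group is meant to avoid.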